docker-deployment

skills-sh:pluginagentmarketplace_custom-plugin-nodejs__docker-deployment

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 3

Findings (3)

LOW

Docker environment credentials CRED_017

credential-leak L114

Detects Docker or docker-compose commands passing credentials via environment variables

environment:
      - POSTGRES_USER=myapp
      - POSTGRES_PASSWORD=

FIX

Remove credential values from Docker environment flags (-e) and docker-compose environment sections. Use Docker secrets, .env files (in .dockerignore), or a secrets manager.

FP?

Likely FP if the Docker environment variable has an empty or placeholder value (e.g., -e API_KEY= or -e PASSWORD=changeme) in setup documentation.

LOW

Docker pull and run untrusted image EXTDL_015

external-download L319

Detects pulling and running Docker images from external registries

docker pull username/myapp

FIX

Pin Docker images to a specific digest (e.g., image@sha256:abc...) instead of using mutable tags like :latest. Use trusted base images from verified publishers.

FP?

Likely FP if the Docker command pulls a well-known official image (e.g., docker pull python:3.11) in setup documentation.

LOW

Mutable GitHub raw content reference THIRDPARTY_002

third-party-content L391

Detects references to raw.githubusercontent.com on mutable branches like main/master

github.com/nodejs/docker-node/blob/main/docs/BestPractices.md)

FIX

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

FP?

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.